Security guidance lacking for virtual data management, expert says

For the large number of businesses moving toward virtual IT, security appears to be the one missing link.

David McNeely, senior director of product management for virtualization solutions vendor Centrify, said in a recent interview with Virtual-Strategy Magazine that many businesses using virtual technology have expressed the same concern – a lack of guidance in security.

"When it comes to Infrastructure-as-a-Service, one of the realities we hear from customers is that security – in the form of authentication and access control – is largely left to the customers," McNeely told Virtual-Strategy Magazine. "To do this effectively in a dynamic environment requires an automated security infrastructure that allows critical security and compliance policies to be applied consistently as every new system is initialized within a hosted environment."

As this trend has developed, access and control have emerged as top IT security threats, McNeely added.

"The rapid adoption of virtualization technologies, combined with the ability for business-critical guest systems to proliferate and seamlessly move across a data center, can lead to gaps in both management and security practices," McNeely said. "In these dynamic environments, it is extremely difficult to secure data and control who has access to the underlying hypervisor platform, and strictly define what someone accessing the data can do based on their job role."

In his interview, McNeely touched upon an interesting dynamic in the enterprise IT sector. Experts, analysts and regulators across several industries have pointed to a lack of security, even while the demand for virtualization has skyrocketed. Companies and organizations in some of the most data-intensive industries, such as healthcare and financial services, have flocked toward virtualization to establish a foothold in the technology.

However, as respective industry authorities have pointed out, standards that dictate security and control remain lax.

The PCI Security Standards Council, which traditionally oversees the security and regulations of payment cards, has responded to the growing use of virtualization to transfer sensitive payment data. Earlier this year, the PCI SSC witnessed the trend and promptly crafted a new guidance report aimed at extending its Data Security Standards to the technology.

However, those in other industries may not be so lucky. Efforts in healthcare, for example, appear to be lacking when it comes to compliance. A survey released by GlobalSign in May found that just 56 percent of responding healthcare IT security managers spend 25 percent to 100 percent of their efforts dealing with compliance and data breaches.